Malware Analysis Report

2025-01-22 12:55

Sample ID 240522-w3929sbh9t
Target b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664
SHA256 b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664

Threat Level: Shows suspicious behavior (score 7/10)

The sample b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664 is classified as showing suspicious behavior: it is VMProtect-packed and unsigned, and in both detonations (Windows 10 and Windows 7) it resolves ipe.exejm.com and connects to 112.192.19.238 on TCP ports 5006 through 5009. Note that the "Drops file in Windows directory" and "Modifies data under HKEY_USERS" hits listed below are raised against C:\Windows\system32\LogonUI.exe, the Windows logon screen, rather than against the sample process itself (see behavioral2).

Malicious Activity Summary

vmprotect

VMProtect packed file

Drops file in Windows directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 18:28

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
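The two static1 signatures can be reproduced offline from the PE headers alone. The following is an added example written for this page, not the sandbox's own signature logic: it walks the section table looking for VMProtect's default .vmp0/.vmp1 section names, measures per-section Shannon entropy as a name-independent packing heuristic, and reports the file as unsigned when the Security data directory (index 4, where an Authenticode signature lives) is empty. The entropy threshold, the minimum section size and the build_pe helper that fabricates a tiny PE32 for testing are assumptions made for illustration.

```python
"""Static triage of a PE: VMProtect section names, per-section entropy and
presence of an Authenticode signature. Added example using only the standard
library; it is not the sandbox's own signature logic."""
import math
import struct
from typing import Dict, List, Tuple

VMP_SECTION_PREFIX = b".vmp"   # VMProtect's default section names: .vmp0, .vmp1, ...
HIGH_ENTROPY = 7.0             # assumed threshold, bits/byte; encrypted data approaches 8.0
MIN_SECTION_SIZE = 4096        # assumed: ignore tiny sections, whose entropy is noisy
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> Dict:
    """Return the section table and signature-directory status of a PE32/PE32+ file."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    # NumberOfRvaAndSizes and the data directories sit at fixed optional-header offsets.
    nrva = struct.unpack_from("<I", buf, opt + (108 if pe32plus else 92))[0]
    dd = opt + (112 if pe32plus else 96)
    sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_size = struct.unpack_from("<II", buf, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)[1]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name = buf[hdr:hdr + 8].rstrip(b"\0")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, hdr + 8)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"signed": sec_size > 0, "sections": sections}


def triage(buf: bytes) -> Dict[str, bool]:
    """Reproduce the two static signatures: 'VMProtect packed file' and 'Unsigned PE'."""
    pe = parse_pe(buf)
    return {
        "vmprotect": any(s["name"].startswith(VMP_SECTION_PREFIX) for s in pe["sections"]),
        "high_entropy": any(s["entropy"] >= HIGH_ENTROPY and s["raw_size"] >= MIN_SECTION_SIZE
                            for s in pe["sections"]),
        "unsigned": not pe["signed"],
    }


def build_pe(sections: List[Tuple[bytes, bytes]], signed: bool = False) -> bytes:
    """Construct a minimal PE32 image for offline testing (synthetic, not the sample)."""
    nsect = len(sections)
    opt_size = 224                                   # PE32 optional header, 16 data dirs
    file_align = 0x200
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * nsect
    first_raw = (hdr_end + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if signed:                                                     # fake security directory
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x200)
    hdrs, bodies, raw, va = b"", b"", first_raw, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), va, len(padded), raw)
        hdrs += b"\0" * 16
        bodies += padded
        raw += len(padded)
        va += (len(padded) + 0xFFF) // 0x1000 * 0x1000
    headers = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return headers + b"\0" * (first_raw - len(headers)) + bodies


if __name__ == "__main__":
    sample = build_pe([(b".text", b"\x90" * 4096), (b".vmp0", bytes(range(256)) * 16)])
    print(triage(sample))
```

Section-name matching is cheap but trivially defeated by a renamed section, which is why the entropy check sits beside it; a real sample would be read from disk with `open(path, "rb").read()` in place of the synthetic image.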

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 18:27

Reported

2024-05-22 18:29

Platform

win10v2004-20240426-en

Max time kernel

106s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

The only file recorded is a resource-cache file (.pri) under C:\Windows\rescache\_merged, and it is created by C:\Windows\system32\LogonUI.exe, not by the sample; the sample process itself is not shown writing anything to the Windows directory.

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2229298842\4093295890.pri C:\Windows\system32\LogonUI.exe N/A

Modifies data under HKEY_USERS

Every entry below is attributed to C:\Windows\system32\LogonUI.exe, the Windows logon screen, not to the sample. The values are theme and Desktop Window Manager accent-color settings written under the .DEFAULT user hive, which is what LogonUI writes when it renders the logon screen, so this signature does not by itself indicate a persistence or configuration change made by the sample.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Suspicious use of AdjustPrivilegeToken

The sample enables SeShutdownPrivilege in its own token (two calls). That privilege is required to shut down or restart the machine through ExitWindowsEx or InitiateSystemShutdownEx, so the sample is preparing to do so; LogonUI.exe, the Windows logon screen, appears in the process list of both detonations, which is consistent with a lock, logoff or restart being triggered.

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe

"C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3976855 /state1:0x41c64e6d

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           ipe.exejm.com                  udp
CN       112.192.19.238:5006  ipe.exejm.com                  tcp
US       8.8.8.8:53           g.bing.com                     udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53           240.197.17.2.in-addr.arpa      udp
US       204.79.197.237:443   g.bing.com                     tcp
US       8.8.8.8:53           6.181.190.20.in-addr.arpa      udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa    udp
NL       23.62.61.171:443     www.bing.com                   tcp
US       8.8.8.8:53           58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53           171.61.62.23.in-addr.arpa      udp
NL       23.62.61.171:443     www.bing.com                   tcp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53           133.211.185.52.in-addr.arpa    udp
CN       112.192.19.238:5007  ipe.exejm.com                  tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa     udp
CN       112.192.19.238:5008  ipe.exejm.com                  tcp
US       8.8.8.8:53           234.197.17.2.in-addr.arpa      udp
CN       112.192.19.238:5009  ipe.exejm.com                  tcp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           (not recorded)                 udp
N/A      51.104.15.253:443    (not recorded)                 tcp
US       8.8.8.8:53           (not recorded)                 udp

The ipe.exejm.com lookup and the four TCP connections to 112.192.19.238 (ports 5006 through 5009) are the only rows that recur in the Windows 7 detonation (behavioral1). The bing.com connections and the in-addr.arpa reverse lookups are absent there and are consistent with Windows 10 background activity rather than sample-driven traffic. The 51.104.15.253:443 connection carries no domain and appears in this run only, so it is not corroborated.

Files

memory/5016-1-0x0000000002890000-0x0000000002891000-memory.dmp

memory/5016-4-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/5016-7-0x0000000002900000-0x0000000002901000-memory.dmp

memory/5016-6-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/5016-5-0x00000000006AF000-0x00000000008FC000-memory.dmp

memory/5016-3-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/5016-2-0x00000000028A0000-0x00000000028A1000-memory.dmp

memory/5016-8-0x0000000000400000-0x0000000000C53000-memory.dmp

memory/5016-0-0x0000000000D50000-0x0000000000D51000-memory.dmp

memory/5016-12-0x0000000002B40000-0x0000000002C7C000-memory.dmp

memory/5016-13-0x0000000002B40000-0x0000000002C7C000-memory.dmp

memory/5016-622-0x0000000000400000-0x0000000000C53000-memory.dmp

memory/5016-1935-0x0000000000400000-0x0000000000C53000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 18:27

Reported

2024-05-22 18:29

Platform

win7-20240508-en

Max time kernel

105s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe

"C:\Users\Admin\AppData\Local\Temp\b4964de4b953c507a0f37e76281607a85d8ff1e17b8e48366967ccb32180b664.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country  Destination          Domain          Proto
US       8.8.8.8:53           ipe.exejm.com   udp
CN       112.192.19.238:5006  ipe.exejm.com   tcp
CN       112.192.19.238:5007  ipe.exejm.com   tcp
CN       112.192.19.238:5008  ipe.exejm.com   tcp
CN       112.192.19.238:5009  ipe.exejm.com   tcp
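Turning the two flattened network tables (behavioral2 above and this behavioral1 table) into indicators worth blocking means stripping sandbox and OS noise and keeping only what both detonations agree on. The following is an added example written for this page, not the sandbox's own classification: it parses the "Country Destination Domain Proto" rows, including rows with no domain, discards resolver traffic, reverse lookups and bing.com hosts under a heuristic that is an assumption, and intersects the remaining endpoints across runs. The embedded rows are copied from the report (the behavioral2 set is abridged).

```python
"""Extract the sample's network indicators from the flattened
'Country Destination Domain Proto' tables of both detonations, drop background
traffic, and keep only endpoints seen in every run. Added example; the rows are
copied (behavioral2 abridged) from the report and the noise heuristics are
assumptions, not the sandbox's own classification."""
import re
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str   # empty when the report row carried no domain
    proto: str


# country, ip:port, optional domain, proto (domain column may be missing)
ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Rows copied from the report; behavioral2 (win10) abridged, behavioral1 (win7) complete.
WIN10_ROWS = """
US 8.8.8.8:53 ipe.exejm.com udp
CN 112.192.19.238:5006 ipe.exejm.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
CN 112.192.19.238:5007 ipe.exejm.com tcp
CN 112.192.19.238:5008 ipe.exejm.com tcp
CN 112.192.19.238:5009 ipe.exejm.com tcp
US 8.8.8.8:53 udp
N/A 51.104.15.253:443 tcp
"""

WIN7_ROWS = """
US 8.8.8.8:53 ipe.exejm.com udp
CN 112.192.19.238:5006 ipe.exejm.com tcp
CN 112.192.19.238:5007 ipe.exejm.com tcp
CN 112.192.19.238:5008 ipe.exejm.com tcp
CN 112.192.19.238:5009 ipe.exejm.com tcp
"""


def parse_table(text: str) -> List[Flow]:
    """Parse report rows; the header line and blank lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        flows.append(Flow(country, ip, int(port), domain or "", proto))
    return flows


def is_background(f: Flow) -> bool:
    """Assumed sandbox/OS noise: resolver traffic, reverse lookups, bing.com hosts."""
    if f.ip == "8.8.8.8" and f.port == 53:
        return True  # DNS only; the resolved name recurs on the TCP row that follows
    return f.domain.endswith(".in-addr.arpa") or f.domain.endswith("bing.com")


def sample_iocs(*tables: str) -> Dict[str, Set]:
    """Endpoints and domains seen in every detonation, plus endpoints seen in only some."""
    runs = [[f for f in parse_table(t) if not is_background(f)] for t in tables]
    endpoint_sets = [{(f.ip, f.port, f.proto) for f in run} for run in runs]
    domain_sets = [{f.domain for f in run if f.domain} for run in runs]
    confirmed = set.intersection(*endpoint_sets)
    return {
        "endpoints": confirmed,
        "domains": set.intersection(*domain_sets),
        "unconfirmed": set.union(*endpoint_sets) - confirmed,
    }


if __name__ == "__main__":
    for k, v in sample_iocs(WIN10_ROWS, WIN7_ROWS).items():
        print(k, sorted(v))
```

Run as-is, the confirmed set is the four TCP endpoints on 112.192.19.238 plus the domain ipe.exejm.com, while 51.104.15.253:443 lands in the unconfirmed set because only the Windows 10 run recorded it; that separation is what should drive a blocklist versus a watchlist.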

Files

memory/1576-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1576-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1576-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1576-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1576-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1576-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1576-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1576-14-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1576-17-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1576-35-0x0000000000400000-0x0000000000C53000-memory.dmp

memory/1576-36-0x00000000006AF000-0x00000000008FC000-memory.dmp

memory/1576-34-0x0000000000320000-0x0000000000321000-memory.dmp

memory/1576-32-0x0000000000320000-0x0000000000321000-memory.dmp

memory/1576-30-0x0000000000320000-0x0000000000321000-memory.dmp

memory/1576-29-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1576-27-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1576-24-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1576-22-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1576-19-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1576-41-0x0000000002680000-0x00000000027BC000-memory.dmp

memory/3396-656-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1576-1459-0x0000000000400000-0x0000000000C53000-memory.dmp

memory/3716-1460-0x0000000002AB0000-0x0000000002AB1000-memory.dmp